Re: [fw-wiz] Firewalls that generate new packets..

Hi Kelly,

Let's say I am kind of disappointed. I figured that your question would kick
off a "proxy" versus "everything else" type "discussion". It didn't.
Ah, the 90s.... good times, good times...

What I believe you are referring to when you talk about "generate a
new packet ... " is a proxy firewall. This is a piece of code that
will take the original packet, suck out the contents, (the content may
be inspected at this point but rarely happens), build a new packet,
blow the content back into the new packet, and send it along its way
(assuming it meets other criteria such as being allowed, valid, etc).
Commercial examples of this type of firewall are Sidewinder or
Symantec Enterprise Firewall (formerly known as Raptor). The other
type of firewall (and market leader) would be "stateful". Examples of
this would be Checkpoint, Pix (ASA), and pretty much every kitchen
appliance these days.

What would be the advantage of this approach? Well - the primary
advantage would be that there is no "direct" path to the service that
you need to talk to. This is helpful especially in the days where IP
stacks were poorly written and attacks against them were more
realistic. If you use an application specific proxy (http, smtp, etc)
then you have an improved level of packet validation. This could be
helpful to protect against potential unknown attacks against
applications. There are a few more but I don't think they are that

What would be a disadvantage? Some say performance. I never bought
that argument. It's a sizing issue. The firewalls I've dealt with
that handled the highest amount of packets were proxies. Others say
price. This is a true argument - commercial proxy firewalls were
traditionally a higher pricepoint than their stateful counterparts.

I've done a lot of firewall conversions in the last few years. The
primary reason organizations cited as a reason to move away from proxy
firewalls was management. If you have to manage more than, say, one
firewall - the management interfaces of the two market leaders in the
proxy space have always fallen down (read: royally sucks). Checkpoint
has always done a better job at this. And organizations like the
familiarity of the Pix (ASA) because everything else they have is
Cisco devices. Whether it's a better option in "securing" whatever you
are trying to "secure" rarely enters the discussion.

In the end, stateful and proxy firewalls will both do the job that we
ask firewalls to do and are only one component of an overall security

cue "discussion"


On Nov 13, 2007, at 9:58 PM, Kelly Robinson wrote:

Some firewalls, after receiving a packet, generate a new packet and
populate it with data from the original, rather than forwarding the
same packet that was received. What are the advantages and
disadvantages of this approach? And does anyone have any examples of
any firewalls that do this on the market?


- k
firewall-wizards mailing list
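The proxy behaviour described in the reply above (take the original packet, pull the content out, build a new packet, send that along, dropping anything that fails validation) as an added example; this is not code from the list post or from any of the products it names. The HTTP grammar checks, the allowed-method policy and the function names are my own assumptions.

```python
import re
import socket
from typing import Optional
# Constructed policy for this example: methods the proxy is willing to relay.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 header-name token
TARGET = re.compile(rb"^/[\x21-\x7e]*$")                 # origin-form target, printable ASCII

def rebuild_request(raw: bytes) -> Optional[bytes]:
    """Parse the client's HTTP request and serialise a fresh one; None means drop."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None                                  # no complete header block: not HTTP
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    if (method not in ALLOWED_METHODS or not TARGET.match(target)
            or version not in (b"HTTP/1.0", b"HTTP/1.1")):
        return None
    headers, declared = [], 0
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        value = value.strip()
        if (not colon or not TOKEN.match(name) or re.search(rb"[\x00-\x1f]", value)
                or name.lower() == b"transfer-encoding"):   # only Content-Length framing is understood
            return None                              # malformed header: drop the whole request
        if name.lower() == b"content-length":
            declared = int(value) if value.isdigit() else -1   # non-numeric can never match the body
            continue                                 # re-emitted below from the real body size
        headers.append((name.title(), value))        # canonical name, stripped value: not client bytes
    if len(body) != declared:
        return None                                  # body does not match its framing: drop
    out = [b"%s %s %s" % (method, target, version)] + [b"%s: %s" % h for h in headers]
    if body:
        out.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(out) + b"\r\n\r\n" + body

def relay_once(client: socket.socket, upstream: tuple) -> bool:
    """Read one request from the client and relay a rebuilt copy over the proxy's own connection."""
    fresh = rebuild_request(client.recv(65536))
    if fresh is None:
        client.close()                               # dropped: nothing reaches the server
        return False
    with socket.create_connection(upstream) as up:   # new TCP session, new packets, no direct path
        up.sendall(fresh)
        client.sendall(up.recv(65536))
    return True
```

Nothing the client sent is ever forwarded verbatim: only fields that survive parsing are re-serialised, which is what gives a proxy its "improved level of packet validation" over a stateful filter that passes the original packet through.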
